SAP Security Patch Day – December 2025
On December 9, 2025, SAP released 14 Security Notes as part of its monthly Security Patch Day, including an updated fix for November’s critical SAP Solution Manager code injection vulnerability. This release continues the pattern of high-impact issues, with 3 Critical-severity notes (CVSS 9.1–9.9), 4 High-severity notes (CVSS 7.1–8.2), and 7 Medium-severity notes (CVSS 5.4–6.6), largely centered on code execution, availability attacks, and access control weaknesses across core NetWeaver, S/4HANA, and web-facing components.
Key Highlights by Severity
Critical Priority (CVSS 9.9 - 9.1)
- Solution Manager rework (CVSS 9.9, Note 3685270): Extends November’s code injection fix by sanitizing additional input paths in remote-enabled function modules, closing a scenario the original correction did not cover; until the update is applied, low-privilege authenticated attackers can still reach sensitive functionality.
- SAP Commerce Cloud / Apache Tomcat (CVSS 9.6, Note 3683579): Multiple Tomcat issues (console manipulation and relative path traversal) affect Commerce Cloud 2205, 2211, and 2211-JDK21, addressed through specific patch releases and mandatory rebuild/redeploy, underlining how third‑party components can become a single point of failure.
- SAP jConnect deserialization (CVSS 9.1, Note 3685286): A deserialization flaw in SDK for ASE 16.0.4 and 16.1 allows high-privileged users to trigger remote code execution, mitigated by disabling dangerous serialization paths and enforcing safer connection property values in new patch levels.
High Priority (CVSS 8.2 - 7.1)
- Sensitive data exposure in Web Dispatcher/ICM (CVSS 8.2, Note 3684682): Internal testing interfaces controlled by the icmHTTPicmtestx parameter can expose diagnostics and enable crafted requests when enabled in production, requiring manual profile cleanup and restarts.
- DoS in Xcelsius remote service (CVSS 7.9, Note 3640185): The legacy NetWeaver remote service for Xcelsius on BI 7.50 is removed entirely to address a DoS and potential arbitrary code execution vector, reflecting SAP’s move to decommission Flash‑era components.
- DoS in SAP Business Objects (CVSS 7.5, Note 3650226) and memory corruption in Web Dispatcher/ICM/Content Server (CVSS 7.5, Note 3677544): These issues rely on updated third‑party components and kernel patches to restore safe resource handling and memory management.
- Missing authorization in S/4HANA Financials GL (CVSS 7.1, Note 3672151): A logic error allows a user restricted to one company code to read and post documents across all codes, corrected via updated checks and guided by a functional prerequisite note.
Medium Priority (CVSS 6.6 - 5.4)
- Broken authentication in NetWeaver Internet Communication Framework (CVSS 6.6, Note 3591163): Token reuse and identity handling errors permit high‑privilege attackers to bypass expected authentication flows until kernel-level corrections are applied.
- Information disclosure in ABAP Server kernel (CVSS 6.5, Note 3662324): A regression from an earlier kernel note disables ABAP list masking, exposing unmasked sensitive values; December’s note restores the protection and clarifies affected kernel patch levels.
- XSS in Enterprise Portal, DoS in SAPUI5 Markdown‑it, missing authorization in Enterprise Search, and SSRF in BusinessObjects BI Platform round out the set, collectively highlighting browser-side and API‑level exposure.
Key Affected Components
SAP NetWeaver & Kernel:
NetWeaver and its kernel ecosystem are prominent again, with notes on Internet Communication Framework, Enterprise Portal, ABAP Server, and the Xcelsius remote service, plus kernel-level exposure in Web Dispatcher and ICM. This concentration shows that technical debt in long‑lived platform components continues to surface as authentication flaws, XSS, DoS, and subtle regressions in masking behavior.
SAP Web Dispatcher, ICM, and Content Server:
Three notes target the “edge” of SAP landscapes: sensitive testing interfaces, memory corruption, and information disclosure via kernel behavior all affect how safely systems expose HTTP entry points and content services. Because these components often front entire landscapes, any misconfiguration or missing patch can widen the blast radius of an attack dramatically.
SAP Solution Manager, Commerce Cloud, and jConnect:
The updated Solution Manager note and the Tomcat/jConnect vulnerabilities show that management tools, e‑commerce stacks, and database connectivity layers remain high‑value targets. Each sits in a privileged position: Solution Manager in operations, Commerce Cloud in customer‑facing flows, jConnect between apps and data. A single injection or RCE can quickly cascade into full‑landscape compromise.
S/4HANA and BusinessObjects:
S/4HANA’s General Ledger and BusinessObjects BI platform both feature prominently, with authorization gaps and DoS/SSRF vectors that can disrupt or expose core financial and reporting processes. When combined with Web Dispatcher and ICM issues, the risk profile spans from the UI down to data access and transport.
Notable Trends
Deserialization Hardening Continuation:
The critical update to October’s deserialization security note (now at version 40) demonstrates ongoing commitment to strengthening NetWeaver AS Java defenses through extensive optional class blocking.
Business Connector Security Deficit:
Four vulnerabilities affecting SAP Business Connector 4.8, all addressed through CoreFix 5, reveal concentrated security weaknesses spanning injection, traversal, redirect, and XSS attack vectors.
Code Injection Dominance:
Four notes address various injection vulnerabilities (code injection, OS command injection, SQL injection, JNDI injection), representing the most prevalent vulnerability class this month.
Authorization and Authentication Gaps:
Three notes address missing authorization checks or authentication mechanisms, particularly in NetWeaver AS ABAP, S/4HANA components, and HANA hdbrss.
Update Pattern Refinement:
Two updates to previous notes from the October and February releases demonstrate SAP’s iterative approach to critical fixes.
Information Exposure Concerns:
Three information disclosure vulnerabilities highlight data protection challenges across client and server components.
The bottom line
December’s release continues the high‑threat environment of 2025 and calls for coordinated action:
- Emergency Patching Required for the three Critical vulnerabilities: Solution Manager code injection update (Note 3685270), Commerce Cloud Tomcat issues (Note 3683579), and jConnect deserialization (Note 3685286), with close attention to prerequisite notes and exact patch levels.
- Gateway Hardening and Profile Cleanup by removing icmHTTPicmtestx parameters, applying kernel fixes for memory corruption and ABAP list masking, and verifying Web Dispatcher/ICM/Content Server patch levels.
- Decommissioning Legacy Services such as the Xcelsius remote service in BI 7.50, aligning technical reality with the long‑announced end of life of Flash‑based tooling.
- Access Control and Authentication Reviews in S/4HANA Financials, Enterprise Search, and NetWeaver ICF to ensure that new logic changes do not silently reintroduce privilege escalation paths.
- Third-Party Component Governance for Tomcat, Markdown‑it, and other embedded libraries, incorporating them into vulnerability management and upgrade processes.
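A defender-side check for the profile cleanup step above, added here and not part of the original post: it scans SAP profile files for active (uncommented) settings of the testing-interface parameter so leftover entries can be found before restarts. The parameter spelling is copied from this post; confirm it against Note 3684682 before relying on it, and the sample profile is constructed for illustration.

```python
import re
from pathlib import Path

# Parameter named in this post's summary of Note 3684682. The spelling is
# copied from the post; confirm the exact name against the SAP note itself.
TARGET_PARAM = "icmHTTPicmtestx"

# Constructed sample profile fragment (not a real customer profile).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = S4D
INSTANCE_NAME = D00
# icmHTTPicmtestx = 1          <- commented out, inactive
icm/server_port_0 = PROT=HTTP,PORT=8000
icmHTTPicmtestx = 1
  ICMHTTPICMTESTX=2
"""

# SAP profile lines are "name = value"; lines starting with '#' are comments.
ASSIGN_RE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def find_parameter_settings(profile_text, name):
    """Return active (uncommented) assignments of `name` as (line_no, value).
    Matching is case-insensitive so variant spellings are not missed."""
    hits = []
    for line_no, line in enumerate(profile_text.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m and m.group(1).lower() == name.lower():
            hits.append((line_no, m.group(2)))
    return hits


def scan_profiles(profile_dir, name=TARGET_PARAM):
    """Scan DEFAULT.PFL and instance profiles under profile_dir.
    Returns {filename: [(line_no, value), ...]} for files that set the parameter."""
    findings = {}
    for path in sorted(Path(profile_dir).glob("*")):
        if path.is_file():
            hits = find_parameter_settings(path.read_text(errors="replace"), name)
            if hits:
                findings[path.name] = hits
    return findings


if __name__ == "__main__":
    for line_no, value in find_parameter_settings(SAMPLE_PROFILE, TARGET_PARAM):
        print(f"active setting at line {line_no}: {TARGET_PARAM} = {value}")
```

Run `scan_profiles("/sapmnt/<SID>/profile")` against the real profile directory; any non-empty result means the parameter is still active and the cleanup plus restart is still outstanding.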
This month’s notes reinforce that patching is necessary but not sufficient: organizations must combine timely updates with configuration governance, monitoring, and architectural reviews to keep pace with evolving attack techniques.
At Vicxer, our SAP security experts streamline vulnerability management with real-time monitoring and tailored remediation strategies. Safeguard your landscape against evolving threats. Contact us today to fortify your SAP environment.